Session Cookies, sessionStorage, and IE8 or “How can I log into two webmail accounts at the same time?”

For Internet Explorer 8, we’ve made browser session handling a lot simpler. For instance, say you want to have two Hotmail windows open, each logged into a different account. Simply click the New Session item on the File menu, and a new browser window will open. The new browser window will not share session cookies with the original browser window, so you can log into Hotmail (and most web applications) as a different user. For command line junkies, you can run iexplore.exe with the -nomerge parameter.

In contrast, if you click New Window, New Tab, or Duplicate Tab on the File menu, or click on a desktop shortcut, the new tab or window will share session cookies with the original tab. This is called “session merging.”

Why do browsers implement Session Merging?

Proper support for Session Merging is important because most web applications are written to expect it. For instance, when a web application opens a popup window, it usually does so with the expectation that the popup window will share cookies with the main window, so that the user will remain logged in and their preferences will remain available, etc. Similarly, when the user uses the Duplicate Tab command, they reasonably expect the new tab to show them the same content as the original tab-- sharing cookies is critical for that scenario to work correctly.

On the other hand, the authors of the HTML5 draft noted that cookie sharing across windows and tabs can introduce some problems:

For example, a user could be buying plane tickets in two different windows, using the same site. If the site used cookies to keep track of which ticket the user was buying, then as the user clicked from page to page in both windows, the ticket currently being purchased would "leak" from one window to the other, potentially causing the user to buy two tickets for the same flight without really noticing.

For that reason, the HTML5 sessionStorage feature is designed such that even tabs within the same browser session have independent storage objects. If you change a sessionStorage attribute’s value in one tab, that change won’t be reflected within another tab, even within the same browser session. In contrast, the localStorage attribute behaves more like a persistent cookie—changes to localStorage attribute’s values are reflected in all browser tabs within all active (and future) browser sessions.

I’ve created a simple test page which you can use to explore session merging and IE8’s New Session option.

-Eric Lawrence

Update 1/11/2010: Someone recently asked if there's a way to start a "NoMerge" session via the CoCreateInstance COM API rather than by directly executing iexplore.exe with the command line parameter. Unfortunately, that scenario is not presently supported. In contrast, the IELaunchURL API always launches IE using the NoMerge option.